The problem lies in PackageKit's handling of distribution scripts. An attacker in a man-in-the-middle position between Apple's update server and the user could modify a script so that attacker-controlled text reaches a format-string function. PackageKit is the component that interprets the distribution script, so it is the one that gets exploited.

Apple says the update fixes the issue through improved validation of distribution scripts.
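To make the bug class concrete, here is an added example in C, written for this page rather than taken from Apple or PackageKit, of an installer-style logger that takes a script field as its format string, next to the hardened call and a validation pass of the kind the fix describes. The logger, the field name and the validation rule are all assumptions; the script text is constructed, and it uses "%%" because that is the only directive defined without arguments, so the demonstration is safe to run.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: a "title" an attacker could plant in a distribution
 * script on the wire. "%%" is the only directive that is well defined when
 * no arguments are supplied, so it is safe to run here; a real attacker
 * would use %x/%p to read the stack or %n to write memory, which this
 * demo deliberately does not do. */
static const char *UNTRUSTED_TITLE = "Software Update 50%% complete";

#define LOG_MAX 128

/* Assumed installer logger: a thin wrapper over vsnprintf, the shape many
 * logging helpers take. Returns the length vsnprintf reports. */
static int log_message(char *out, size_t outlen, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Vulnerable: untrusted script text becomes the format string, so every
 * '%' sequence in it is interpreted by the formatter. */
int log_title_vulnerable(char *out, size_t outlen, const char *title) {
    return log_message(out, outlen, title);   /* BUG: title is parsed for %-directives */
}

/* Hardened: untrusted text is always an argument, never the format. */
int log_title_fixed(char *out, size_t outlen, const char *title) {
    return log_message(out, outlen, "%s", title);
}

/* Validation pass of the kind Apple's note describes (assumed rule, not
 * Apple's code): reject any script field containing a '%' before it can
 * reach a formatting function. Returns 1 if clean, 0 if rejected. */
int title_is_clean(const char *title) {
    return strchr(title, '%') == NULL;
}

int main(void) {
    char buf[LOG_MAX];

    log_title_vulnerable(buf, sizeof buf, UNTRUSTED_TITLE);
    printf("vulnerable: %s\n", buf);   /* "%%" collapses to "%": the logger interpreted the script text */

    log_title_fixed(buf, sizeof buf, UNTRUSTED_TITLE);
    printf("fixed:      %s\n", buf);   /* the script text passes through untouched */

    printf("validation: %s\n", title_is_clean(UNTRUSTED_TITLE) ? "accepted" : "rejected");
    return 0;
}
```

The collapsed "%%" is the tell: if the formatter is rewriting the string at all, it would equally honour "%x" or "%n" from the same attacker-controlled field. Passing the text as an argument removes that interpretation; the validation step is a second line of defence for fields the fix may not have reached.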

This update, as I see it, raises some questions: aren't these scripts delivered over SSL/TLS? If so, how is the man-in-the-middle attack carried out? If not, why not? Transport encryption only protects the channel, so the question underneath is whether the installer verifies a signature over the package contents before it interprets the distribution script; if it does not, a tampered download reaches the same code regardless of how it arrived.